H(ackers)2O: Attack on City Water Station Destroys Pump

Hackers gained remote access into the control system of the city water utility in Springfield, Illinois, and destroyed a pump last week, according to a report released by a state fusion center and obtained by a security expert.

The hackers were discovered on Nov. 8 when a water district employee noticed problems in the city’s Supervisory Control and Data Acquisition System (SCADA). The system kept turning on and off, resulting in the burnout of a water pump.

Forensic evidence indicates that the hackers may have been in the system as early as September, according to the “Public Water District Cyber Intrusion” report, released by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10.

The intruders launched their attack from IP addresses based in Russia and gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and then used those credentials to gain remote access to the utility’s network.

The theft of credentials raises the possibility that other customers using the vendor’s SCADA system may be targeted as well.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” the report states, according to Joe Weiss, managing partner of Applied Control Solutions, who obtained a copy of the document and read it to Threat Level.

Control system software vendors often have remote access to customer systems in order to provide maintenance and upgrades to the systems. But this provides a backdoor for intruders to exploit. This is how a Romanian hacker obtained access into restaurant credit card processing systems in the U.S. a few years ago. The point-of-sale systems in several states were installed by a single company, which maintained default usernames and passwords for remote access into the systems that the hacker was able to use to breach them.

In the case of the utility company hack, the fusion report indicates that for two to three months prior to the discovery, operators at the utility noticed “glitches” in the remote access for the SCADA system. The report doesn’t indicate the nature of the glitches, but could refer to problems that legitimate users experienced trying to gain remote access into the system during the time the intruders were using log-in credentials.

“They just figured it’s part of the normal instability of the system,” Weiss told Wired.com. “But it wasn’t until the SCADA system actually turned on and off that they realized something was wrong.”

The fusion report indicates that the SCADA software vendor that was initially hacked prior to the utility company’s compromise is located in the U.S., but Weiss declined to name the city until it’s known which vendor was hacked.

“One thing that is important to find out is whose SCADA system this is,” Weiss said. “If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes.”

Weiss initially published details from the report on his blog. He expressed frustration that the information apparently hadn’t been released to other water utilities so they could be on the lookout for similar attacks, complaining that he could find no evidence of the information in reports distributed by the Department of Homeland Security’s Industrial Control System-Cyber Emergency Response Team or other government and industry security lists. “Consequently, none of the water utilities I have spoken to were aware of it,” he wrote.

“There very easily could be other utilities as we speak who have their networks compromised,” he said. “This is unconscionable.”

The report didn’t name the utility company that was attacked or the software vendor that was initially hacked, but the DHS, after queries from reporters, identified the location of the utility company as Springfield, Illinois. City Water, Light and Power supplies utility services to that municipality. A spokeswoman for City Water, Light and Power said the incident did not occur at their utility and suggested it occurred at systems belonging to the Curran-Gardner Township Public Water District.

A woman who answered the phone at Curran-Gardner Friday morning, who would not give her name, said, “I cannot discuss it, and the manager is on vacation,” before hanging up.

A spokesman for Curran-Gardner later reportedly acknowledged that the burnout occurred with a well pump at its plant that services about 2,200 customers outside of Springfield.

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” Don Craven, a water district trustee, told the local State Journal-Register newspaper. “From what we can tell at this point, this is one pump. The water district is up and running and things are fine.”

The DHS statement downplayed the severity of the incident.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois,” according to a statement released by DHS spokesman Peter Boogaard. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The fusion report indicated that the hack into the utility system shared a similarity to a recent hack into an MIT server last June that was used to launch attacks on other systems. In both cases, the intrusions involved PHPMyAdmin, a front-end tool used to manage databases. The MIT server was used to search for systems that were using vulnerable versions of PHPMyAdmin that could then be attacked. In the case of the water utility in Illinois, the fusion report said that the company’s log files contained references to PHPMyAdmin, but didn’t elaborate.

The hack of the SCADA system is the first breach of an industrial control system reported since the Stuxnet worm was found on systems in Iran and elsewhere last year. Stuxnet was the first known digital attack designed to target an industrial control system in order to cause physical damage. In the case of Stuxnet, the worm was designed to commandeer an industrial control system used at a uranium enrichment plant in Iran in order to periodically increase and decrease the speed of centrifuges used to enrich uranium and destroy the devices.

Weiss and other industrial control system experts warned last year that similar attacks would soon begin to target other industrial control systems in the U.S. and elsewhere. But no attacks had materialized – or at least been made public – until now.

“Everybody keeps asking how come you don’t see attacks on SCADA systems? Well, here it is guys,” Weiss said.

UPDATE 8:12am on 11.18.11: To add comment from City Water and Light spokeswoman and from Curran-Gardner.
UPDATE 4:45pm: To add confirmation from Curran-Gardner.

Photo: Cyber security analysts that are part of a Red Team-Blue Team exercise watch their computers during a mock exercise at the Department of Homeland Security’s secretive cyber defense training facility at Idaho National Laboratory. (AP Photo/Mark J. Terrill)

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.